Windows XP infection rate may jump 66% after patches end in April

Microsoft yesterday again put the scare into Windows XP users, telling them that after April 8, 2014, the chance that malware will infect their PCs could jump by two-thirds.

The claim, made by Tim Rains, director of Microsoft's Trustworthy Computing group, came on the heels of the release of the company's twice-annual Security Intelligence Report.

Following up on comments he made in August, Rains again warned Windows XP stragglers to expect an increase in attacks when the aged operating system exits support in five months.

"After end of support, attackers will have an advantage over defenders who continue to run Windows XP," Rains asserted in a Tuesday post to a company blog. "After April next year, when we release monthly security updates for supported versions of Windows, attackers will try and reverse engineer them to identify any vulnerabilities that also exist in Windows XP. If they succeed, attackers will have the capability to develop exploit code to take advantage of them."

Rains then went a step further, and cited statistics from Microsoft's own telemetry-gathering efforts to give customers an idea of the increased threat after support ends.

"We have already had a glimpse into what happens when a Windows XP-based platform goes out of support," Rains added. "In the two years after Windows XP Service Pack 2 went out of support, its malware infection rate was 66% higher than Windows XP Service Pack 3 -- the last supported version of Windows XP."

Support for Windows XP Service Pack 2 (SP2) ended in July 2010, a little over two years after the release of XP SP3.

In a chart accompanying his comments, Rains showed the higher infection rate of Windows XP SP2 when compared to SP3. The two started out with similar infection rates, but began to diverge in the first quarter of 2011, with the largest gap in Q4 of that year. Since then, the difference between the two has narrowed: In the fourth quarter of 2012, the latest shown in the chart, the gap appeared to be approximately four computers per thousand -- 12 for SP3 versus 16 for SP2 -- representing a 33% increase in the latter's infection rate.

While there could be other reasons for the different infection rates, including lack of up-to-date security software, Rains' implied assumption was that it was because XP SP2 had not been patched -- because it could not be -- while XP SP3 had been.

Microsoft has been extremely blunt about the danger customers will face next year after Windows XP support vanishes, belittling the creaky OS's security prowess, even attacking it at times. That's unusual. Microsoft's usual tactic is to simply ignore an older operating system, as it does Windows Vista, the flop that now accounts for just 4% of all Windows PCs.

"You never heard Microsoft tell Windows Millennium users that they had to upgrade," said Michael Cherry, an analyst with Directions on Microsoft, referring to a September 2000 edition that quickly vanished after XP's appearance a year later.

But things are different this time around.

"This is the first time that Microsoft has had to put its foot down," Cherry continued. "Pre-XP, there were always sufficient changes to the underlying hardware and the operating system to prompt people to upgrade to newer PCs and a new Windows. With XP that didn't happen. It's the first time when we've had insufficient hardware changes. XP was the first Windows that was 'good enough.' So this isn't like before."

Cynics see other reasons behind Microsoft's bash-XP drumbeat, as the company has used the opportunity, including on Tuesday, to trumpet Windows 8's improved security and urge customers to upgrade to the newest OS. And it's not like Microsoft's hands are tied; it's not being forced into dropping Windows XP off the support list. The company's security engineers will continue to craft patches for XP for at least several years after next April. Only large enterprises and organizations that have paid millions for special support contracts will receive those patches, however.

But Microsoft will stand firm, said Cherry and others yesterday.

"Microsoft is saying, 'Look, get the message ... we're serious this time,'" Cherry said. "If they waver in any way from this message, people will stop migrating."

"We have to think about an operating system like any other product. It has a use-by date," said John Pescatore, director of emerging security trends at the SANS Institute. "After that, you're on your own. You can't continue to expect them to release patches forever. When a tire is bald, you can't just put more patches on it."

While Pescatore has long held the opinion that Microsoft would not back off its XP retirement plans -- saying last year that the company had drawn "a line in the sand" -- Cherry once thought there was a chance that Microsoft would change its mind as the deadline approached.

No longer.

"I'm drifting away from that [opinion]," Cherry said Tuesday. "XP is dropping faster than I had expected."

True. Since August 1, according to metrics company Net Applications, Windows XP's user share has dropped nearly six percentage points. As of the end of September, it accounted for 35% of all editions of Windows in use worldwide.

Microsoft claims it's much lower than that in the enterprise. Last week, Amy Hood, the company's chief financial officer, said that 75% of corporate PCs were running Windows 7, implying that most of the rest were still on XP.

"When you start to get into 25% and below [for XP], support retirement is going to be a less significant event," contended Cherry, especially in the enterprise, the bastion of Windows and the segment Microsoft is most concerned with. "That's Microsoft's number. It's what they believe," Cherry added, meaning other estimates of XP's prevalence are immaterial to the company as it ponders, if it ever did, a support extension.

Not every expert concurred. Lawrence Pingree, an analyst with Gartner, believed Microsoft owed it to customers to continue supporting Windows XP. After all, the company's own missteps -- the delay between XP and Vista, the rough edges of the latter, and a two-year extension to support for XP -- were largely the cause of the OS's longevity and resulting entrenchment.

"Anyone can understand why any OS manufacturer wants to dedicate resources for new versions of their OS," said Pingree in an email. "However, security patch availability should be based on market share and penetration rates, otherwise the manufacturer does a disservice to its customers.

"Using an analogy: Does a car manufacturer bear responsibility to recall versions of cars that are being driven but not actively manufactured? My sense is yes. What is the responsible thing to do?" Pingree asked.

